2 * QEMU Xen emulation: The actual implementation of XenStore
4 * Copyright © 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
6 * Authors: David Woodhouse <dwmw2@infradead.org>, Paul Durrant <paul@xen.org>
8 * This work is licensed under the terms of the GNU GPL, version 2 or later.
9 * See the COPYING file in the top-level directory.
12 #include "qemu/osdep.h"
13 #include "qom/object.h"
15 #include "xen_xenstore.h"
16 #include "xenstore_impl.h"
18 #include "hw/xen/interface/io/xs_wire.h"
20 #define XS_MAX_WATCHES 128
21 #define XS_MAX_DOMAIN_NODES 1000
22 #define XS_MAX_NODE_SIZE 2048
23 #define XS_MAX_TRANSACTIONS 10
24 #define XS_MAX_PERMS_PER_NODE 5
26 #define XS_VALID_CHARS "abcdefghijklmnopqrstuvwxyz" \
27 "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
30 typedef struct XsNode {
35 #ifdef XS_NODE_UNIT_TEST
36 gchar *name; /* debug only */
40 typedef struct XsWatch {
49 typedef struct XsTransaction {
51 unsigned int nr_nodes;
57 struct XenstoreImplState {
59 unsigned int nr_nodes;
61 unsigned int nr_domu_watches;
62 GHashTable *transactions;
63 unsigned int nr_domu_transactions;
69 static void nobble_tx(gpointer key, gpointer value, gpointer user_data)
71 unsigned int *new_tx_id = user_data;
72 XsTransaction *tx = value;
74 if (tx->base_tx == *new_tx_id) {
75 /* Transactions based on XBT_NULL will always fail */
76 tx->base_tx = XBT_NULL;
80 static inline unsigned int next_tx(struct XenstoreImplState *s)
84 /* Find the next TX id which isn't either XBT_NULL or in use. */
87 } while (tx_id == XBT_NULL || tx_id == s->root_tx ||
88 g_hash_table_lookup(s->transactions, GINT_TO_POINTER(tx_id)));
91 * It is vanishingly unlikely, but ensure that no outstanding transaction
92 * is based on the (previous incarnation of the) newly-allocated TX id.
94 g_hash_table_foreach(s->transactions, nobble_tx, &tx_id);
99 static inline XsNode *xs_node_new(void)
101 XsNode *n = g_new0(XsNode, 1);
104 #ifdef XS_NODE_UNIT_TEST
106 xs_node_list = g_list_prepend(xs_node_list, n);
111 static inline XsNode *xs_node_ref(XsNode *n)
113 /* With just 10 transactions, it can never get anywhere near this. */
114 g_assert(n->ref < INT_MAX);
121 static inline void xs_node_unref(XsNode *n)
132 g_byte_array_unref(n->content);
135 g_hash_table_unref(n->children);
137 #ifdef XS_NODE_UNIT_TEST
140 xs_node_list = g_list_remove(xs_node_list, n);
145 /* For copying from one hash table to another using g_hash_table_foreach() */
146 static void do_insert(gpointer key, gpointer value, gpointer user_data)
148 g_hash_table_insert(user_data, g_strdup(key), xs_node_ref(value));
151 static XsNode *xs_node_copy(XsNode *old)
153 XsNode *n = xs_node_new();
155 n->gencnt = old->gencnt;
157 n->children = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
158 (GDestroyNotify)xs_node_unref);
159 g_hash_table_foreach(old->children, do_insert, n->children);
161 if (old && old->content) {
162 n->content = g_byte_array_ref(old->content);
167 /* Returns true if it made a change to the hash table */
168 static bool xs_node_add_child(XsNode *n, const char *path_elem, XsNode *child)
170 assert(!strchr(path_elem, '/'));
174 return g_hash_table_remove(n->children, path_elem);
177 #ifdef XS_NODE_UNIT_TEST
179 child->name = g_strdup(path_elem);
182 n->children = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
183 (GDestroyNotify)xs_node_unref);
187 * The documentation for g_hash_table_insert() says that it "returns a
188 * boolean value to indicate whether the newly added value was already
189 * in the hash table or not."
191 * It could perhaps be clearer that returning TRUE means it wasn't,
193 return g_hash_table_insert(n->children, g_strdup(path_elem), child);
197 struct XenstoreImplState *s;
198 char path[XENSTORE_ABS_PATH_MAX + 2]; /* Two NUL terminators */
199 int (*op_fn)(XsNode **n, struct walk_op *op);
207 /* The number of nodes which will exist in the tree if this op succeeds. */
208 unsigned int new_nr_nodes;
211 * This is maintained on the way *down* the walk to indicate
212 * whether nodes can be modified in place or whether COW is
213 * required. It starts off being true, as we're always going to
214 * replace the root node. If we walk into a shared subtree it
215 * becomes false. If we start *creating* new nodes for a write,
216 * it becomes true again.
218 * Do not use it on the way back up.
226 static void fire_watches(struct walk_op *op, bool parents)
231 if (!op->mutating || op->in_transaction) {
239 w = g_hash_table_lookup(op->s->watches, op->path);
242 /* Fire the parent nodes from 'op' if asked to */
248 assert(strlen(op->path) > w->rel_prefix);
249 w->cb(w->cb_opaque, op->path + w->rel_prefix, w->token);
255 static int xs_node_add_content(XsNode **n, struct walk_op *op)
257 GByteArray *data = op->op_opaque;
261 * The real XenStored includes permissions and names of child nodes
262 * in the calculated datasize but life's too short. For a single
263 * tenant internal XenStore, we don't have to be quite as pedantic.
265 if (data->len > XS_MAX_NODE_SIZE) {
269 /* We *are* the node to be written. Either this or a copy. */
272 *n = xs_node_copy(old);
277 g_byte_array_unref((*n)->content);
279 (*n)->content = g_byte_array_ref(data);
283 static int xs_node_get_content(XsNode **n, struct walk_op *op)
285 GByteArray *data = op->op_opaque;
286 GByteArray *node_data;
291 node_data = (*n)->content;
293 g_byte_array_append(data, node_data->data, node_data->len);
299 static int node_rm_recurse(gpointer key, gpointer value, gpointer user_data)
301 struct walk_op *op = user_data;
302 int path_len = strlen(op->path);
303 int key_len = strlen(key);
305 bool this_inplace = op->inplace;
311 assert(key_len + path_len + 2 <= sizeof(op->path));
312 op->path[path_len] = '/';
313 memcpy(op->path + path_len + 1, key, key_len + 1);
316 g_hash_table_foreach_remove(n->children, node_rm_recurse, op);
321 * Fire watches on *this* node but not the parents because they are
322 * going to be deleted too, so the watch will fire for them anyway.
324 fire_watches(op, false);
325 op->path[path_len] = '\0';
328 * Actually deleting the child here is just an optimisation; if we
329 * don't then the final unref on the topmost victim will just have
330 * to cascade down again repeating all the g_hash_table_foreach()
336 static int xs_node_rm(XsNode **n, struct walk_op *op)
338 bool this_inplace = op->inplace;
340 /* Fire watches for, and count, nodes in the subtree which get deleted */
341 if ((*n)->children) {
342 g_hash_table_foreach_remove((*n)->children, node_rm_recurse, op);
354 * Passed a full reference in *n which it may free if it needs to COW.
356 * When changing the tree, the op->inplace flag indicates whether this
357 * node may be modified in place (i.e. it and all its parents had a
358 * refcount of one). If walking down the tree we find a node whose
359 * refcount is higher, we must clear op->inplace and COW from there
360 * down. Unless we are creating new nodes as scaffolding for a write
361 * (which works like 'mkdir -p' does). In which case those newly
362 * created nodes can (and must) be modified in place again.
364 static int xs_node_walk(XsNode **n, struct walk_op *op)
366 char *child_name = NULL;
368 XsNode *old = *n, *child = NULL;
369 bool stole_child = false;
374 namelen = strlen(op->path);
375 watch = g_hash_table_lookup(op->s->watches, op->path);
377 /* Is there a child, or do we hit the double-NUL termination? */
378 if (op->path[namelen + 1]) {
380 child_name = op->path + namelen + 1;
381 slash = strchr(child_name, '/');
385 op->path[namelen] = '/';
388 /* If we walk into a subtree which is shared, we must COW */
389 if (op->mutating && old->ref != 1) {
394 /* This is the actual node on which the operation shall be performed */
395 err = op->op_fn(n, op);
397 fire_watches(op, true);
402 /* op->inplace will be further modified during the recursion */
403 this_inplace = op->inplace;
405 if (old && old->children) {
406 child = g_hash_table_lookup(old->children, child_name);
407 /* This is a *weak* reference to 'child', owned by the hash table */
413 * Now we own it too. But if we can modify inplace, that's going to
414 * foil the check and force it to COW. We want to be the *only* owner
415 * so that it can be modified in place, so remove it from the hash
416 * table in that case. We'll add it (or its replacement) back later.
418 if (op->mutating && this_inplace) {
419 g_hash_table_remove(old->children, child_name);
422 } else if (op->create_dirs) {
423 if (op->dom_id && op->new_nr_nodes >= XS_MAX_DOMAIN_NODES) {
428 child = xs_node_new();
431 * If we're creating a new child, we can clearly modify it (and its
432 * children) in place from here on down.
441 * If there's a watch on this node, add it to the list to be fired
442 * (with the correct full pathname for the modified node) at the end.
445 op->watches = g_list_append(op->watches, watch);
449 * Except for the temporary child-stealing as noted, our node has not
450 * changed yet. We don't yet know the overall operation will complete.
452 err = xs_node_walk(&child, op);
455 op->watches = g_list_remove(op->watches, watch);
458 if (err || !op->mutating) {
460 /* Put it back as it was. */
461 g_hash_table_replace(old->children, g_strdup(child_name), child);
463 xs_node_unref(child);
469 * Now we know the operation has completed successfully and we're on
470 * the way back up. Make the change, substituting 'child' in the
474 *n = xs_node_copy(old);
479 * The child may be NULL here, for a remove operation. Either way,
480 * xs_node_add_child() will do the right thing and return a value
481 * indicating whether it changed the parent's hash table or not.
483 * We bump the parent gencnt if it adds a child that we *didn't*
484 * steal from it in the first place, or if child==NULL and was
485 * thus removed (whether we stole it earlier and didn't put it
486 * back, or xs_node_add_child() actually removed it now).
488 if ((xs_node_add_child(*n, child_name, child) && !stole_child) || !child) {
493 op->path[namelen] = '\0';
495 assert(!op->watches);
497 * On completing the recursion back up the path walk and reaching the
498 * top, assign the new node count if the operation was successful. If
499 * the main tree was changed, bump its tx ID so that outstanding
500 * transactions correctly fail. But don't bump it every time; only
501 * if it makes a difference.
503 if (!err && op->mutating) {
504 if (!op->in_transaction) {
505 if (op->s->root_tx != op->s->last_tx) {
506 op->s->root_tx = next_tx(op->s);
508 op->s->nr_nodes = op->new_nr_nodes;
510 XsTransaction *tx = g_hash_table_lookup(op->s->transactions,
511 GINT_TO_POINTER(op->tx_id));
513 tx->nr_nodes = op->new_nr_nodes;
520 static void append_directory_item(gpointer key, gpointer value,
523 GList **items = user_data;
525 *items = g_list_insert_sorted(*items, g_strdup(key), (GCompareFunc)strcmp);
528 /* Populates items with char * names which caller must free. */
529 static int xs_node_directory(XsNode **n, struct walk_op *op)
531 GList **items = op->op_opaque;
536 if ((*n)->children) {
537 g_hash_table_foreach((*n)->children, append_directory_item, items);
540 if (op->op_opaque2) {
541 *(uint64_t *)op->op_opaque2 = (*n)->gencnt;
547 static int validate_path(char *outpath, const char *userpath,
550 size_t i, pathlen = strlen(userpath);
552 if (!pathlen || userpath[pathlen] == '/' || strstr(userpath, "//")) {
555 for (i = 0; i < pathlen; i++) {
556 if (!strchr(XS_VALID_CHARS, userpath[i])) {
560 if (userpath[0] == '/') {
561 if (pathlen > XENSTORE_ABS_PATH_MAX) {
564 memcpy(outpath, userpath, pathlen + 1);
566 if (pathlen > XENSTORE_REL_PATH_MAX) {
569 snprintf(outpath, XENSTORE_ABS_PATH_MAX, "/local/domain/%u/%s", dom_id,
576 static int init_walk_op(XenstoreImplState *s, struct walk_op *op,
577 xs_transaction_t tx_id, unsigned int dom_id,
578 const char *path, XsNode ***rootp)
580 int ret = validate_path(op->path, path, dom_id);
586 * We use *two* NUL terminators at the end of the path, as during the walk
587 * we will temporarily turn each '/' into a NUL to allow us to use that
588 * path element for the lookup.
590 op->path[strlen(op->path) + 1] = '\0';
594 op->mutating = false;
595 op->create_dirs = false;
596 op->in_transaction = false;
601 if (tx_id == XBT_NULL) {
603 op->new_nr_nodes = s->nr_nodes;
605 XsTransaction *tx = g_hash_table_lookup(s->transactions,
606 GINT_TO_POINTER(tx_id));
611 op->new_nr_nodes = tx->nr_nodes;
612 op->in_transaction = true;
618 int xs_impl_read(XenstoreImplState *s, unsigned int dom_id,
619 xs_transaction_t tx_id, const char *path, GByteArray *data)
622 * The data GByteArray shall exist, and will be freed by caller.
623 * Just g_byte_array_append() to it.
629 ret = init_walk_op(s, &op, tx_id, dom_id, path, &n);
633 op.op_fn = xs_node_get_content;
635 return xs_node_walk(n, &op);
638 int xs_impl_write(XenstoreImplState *s, unsigned int dom_id,
639 xs_transaction_t tx_id, const char *path, GByteArray *data)
642 * The data GByteArray shall exist, will be freed by caller. You are
643 * free to use g_byte_array_steal() and keep the data. Or just ref it.
649 ret = init_walk_op(s, &op, tx_id, dom_id, path, &n);
653 op.op_fn = xs_node_add_content;
656 op.create_dirs = true;
657 return xs_node_walk(n, &op);
660 int xs_impl_directory(XenstoreImplState *s, unsigned int dom_id,
661 xs_transaction_t tx_id, const char *path,
662 uint64_t *gencnt, GList **items)
665 * The items are (char *) to be freed by caller. Although it's consumed
666 * immediately so if you want to change it to (const char *) and keep
667 * them, go ahead and change the caller.
673 ret = init_walk_op(s, &op, tx_id, dom_id, path, &n);
677 op.op_fn = xs_node_directory;
678 op.op_opaque = items;
679 op.op_opaque2 = gencnt;
680 return xs_node_walk(n, &op);
683 int xs_impl_transaction_start(XenstoreImplState *s, unsigned int dom_id,
684 xs_transaction_t *tx_id)
688 if (*tx_id != XBT_NULL) {
692 if (dom_id && s->nr_domu_transactions >= XS_MAX_TRANSACTIONS) {
696 tx = g_new0(XsTransaction, 1);
698 tx->nr_nodes = s->nr_nodes;
699 tx->tx_id = next_tx(s);
700 tx->base_tx = s->root_tx;
701 tx->root = xs_node_ref(s->root);
704 g_hash_table_insert(s->transactions, GINT_TO_POINTER(tx->tx_id), tx);
706 s->nr_domu_transactions++;
712 static int transaction_commit(XenstoreImplState *s, XsTransaction *tx)
714 if (s->root_tx != tx->base_tx) {
717 xs_node_unref(s->root);
720 s->root_tx = tx->tx_id;
721 s->nr_nodes = tx->nr_nodes;
724 * XX: Walk the new root and fire watches on any node which has a
725 * refcount of one (which is therefore unique to this transaction).
730 int xs_impl_transaction_end(XenstoreImplState *s, unsigned int dom_id,
731 xs_transaction_t tx_id, bool commit)
734 XsTransaction *tx = g_hash_table_lookup(s->transactions,
735 GINT_TO_POINTER(tx_id));
737 if (!tx || tx->dom_id != dom_id) {
742 ret = transaction_commit(s, tx);
745 g_hash_table_remove(s->transactions, GINT_TO_POINTER(tx_id));
747 assert(s->nr_domu_transactions);
748 s->nr_domu_transactions--;
753 int xs_impl_rm(XenstoreImplState *s, unsigned int dom_id,
754 xs_transaction_t tx_id, const char *path)
760 ret = init_walk_op(s, &op, tx_id, dom_id, path, &n);
764 op.op_fn = xs_node_rm;
766 return xs_node_walk(n, &op);
769 int xs_impl_get_perms(XenstoreImplState *s, unsigned int dom_id,
770 xs_transaction_t tx_id, const char *path, GList **perms)
773 * The perms are (char *) in the <perm-as-string> wire format to be
774 * freed by the caller.
779 int xs_impl_set_perms(XenstoreImplState *s, unsigned int dom_id,
780 xs_transaction_t tx_id, const char *path, GList *perms)
783 * The perms are (const char *) in the <perm-as-string> wire format.
788 int xs_impl_watch(XenstoreImplState *s, unsigned int dom_id, const char *path,
789 const char *token, xs_impl_watch_fn fn, void *opaque)
791 char abspath[XENSTORE_ABS_PATH_MAX + 1];
795 ret = validate_path(abspath, path, dom_id);
800 /* Check for duplicates */
801 l = w = g_hash_table_lookup(s->watches, abspath);
803 if (!g_strcmp0(token, w->token) && opaque == w->cb_opaque &&
804 fn == w->cb && dom_id == w->dom_id) {
810 if (dom_id && s->nr_domu_watches >= XS_MAX_WATCHES) {
814 w = g_new0(XsWatch, 1);
815 w->token = g_strdup(token);
817 w->cb_opaque = opaque;
819 w->rel_prefix = strlen(abspath) - strlen(path);
821 /* l was looked up above when checking for duplicates */
826 g_hash_table_insert(s->watches, g_strdup(abspath), w);
829 s->nr_domu_watches++;
832 /* A new watch should fire immediately */
833 fn(opaque, path, token);
838 static XsWatch *free_watch(XenstoreImplState *s, XsWatch *w)
840 XsWatch *next = w->next;
843 assert(s->nr_domu_watches);
844 s->nr_domu_watches--;
853 int xs_impl_unwatch(XenstoreImplState *s, unsigned int dom_id,
854 const char *path, const char *token,
855 xs_impl_watch_fn fn, void *opaque)
857 char abspath[XENSTORE_ABS_PATH_MAX + 1];
861 ret = validate_path(abspath, path, dom_id);
866 w = g_hash_table_lookup(s->watches, abspath);
872 * The hash table contains the first element of a list of
873 * watches. Removing the first element in the list is a
874 * special case because we have to update the hash table to
875 * point to the next (or remove it if there's nothing left).
877 if (!g_strcmp0(token, w->token) && fn == w->cb && opaque == w->cb_opaque &&
878 dom_id == w->dom_id) {
880 /* Insert the previous 'next' into the hash table */
881 g_hash_table_insert(s->watches, g_strdup(abspath), w->next);
883 /* Nothing left; remove from hash table */
884 g_hash_table_remove(s->watches, abspath);
891 * We're all done messing with the hash table because the element
892 * it points to has survived the cull. Now it's just a simple
893 * linked list removal operation.
895 for (l = &w->next; *l; l = &w->next) {
898 if (!g_strcmp0(token, w->token) && fn == w->cb &&
899 opaque != w->cb_opaque && dom_id == w->dom_id) {
900 *l = free_watch(s, w);
908 int xs_impl_reset_watches(XenstoreImplState *s, unsigned int dom_id)
911 guint nr_watch_paths;
914 watch_paths = (char **)g_hash_table_get_keys_as_array(s->watches,
917 for (i = 0; i < nr_watch_paths; i++) {
918 XsWatch *w1 = g_hash_table_lookup(s->watches, watch_paths[i]);
919 XsWatch *w2, *w, **l;
922 * w1 is the original list. The hash table has this pointer.
923 * w2 is the head of our newly-filtered list.
924 * w and l are temporary for processing. w is somewhat redundant
925 * with *l but makes my eyes bleed less.
931 if (w->dom_id == dom_id) {
932 /* If we're freeing the head of the list, bump w2 */
936 *l = free_watch(s, w);
943 * If the head of the list survived the cull, we don't need to
944 * touch the hash table and we're done with this path. Else...
947 g_hash_table_steal(s->watches, watch_paths[i]);
950 * It was already freed. (Don't worry, this whole thing is
951 * single-threaded and nobody saw it in the meantime). And
952 * having *stolen* it, we now own the watch_paths[i] string
953 * so if we don't give it back to the hash table, we need
957 g_hash_table_insert(s->watches, watch_paths[i], w2);
959 g_free(watch_paths[i]);
967 static void xs_tx_free(void *_tx)
969 XsTransaction *tx = _tx;
971 xs_node_unref(tx->root);
976 XenstoreImplState *xs_impl_create(void)
978 XenstoreImplState *s = g_new0(XenstoreImplState, 1);
980 s->watches = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL);
981 s->transactions = g_hash_table_new_full(g_direct_hash, g_direct_equal,
984 s->root = xs_node_new();
985 #ifdef XS_NODE_UNIT_TEST
986 s->root->name = g_strdup("/");
989 s->root_tx = s->last_tx = 1;
OSDN Git Service
